I posted to Reddit but thought I’d post here too.
Hi, please direct me somewhere else if this isn’t the place to ask.
My wife had to change phones and can’t get into vaultwarden as her master password is wrong.
The hint verifies she has the correct password but she must’ve substituted a numerical / alpha swap differently and can’t work it out due to rate limiting.
I understand the importance of this password and she shouldn’t have forgotten it, or at least should have had it saved somewhere, but here we are.
Anyway, my question is: seeing as I’m the administrator and have full access to the DB, can I try to brute force her password against whatever value is in the DB directly, to avoid rate limits, as I know the letters, numbers and length used for the password, just not the correct substitutions?
If so, to save me reading the source code to find out, what is the correct format to generate the password hash, and which value in the DB do I compare it to to confirm it’s correct?
I am fine with writing my own script to do this; I just need the finer details of what exactly I need to do.
My server at the time of password creation / last change is Version 2022.10.1.
Thank you.
UPDATE:
So I tried a few things and they either didn’t work or were too slow, but I’m close to a solution. (I have to brute force around 500,000 password attempts to get back in, so I want to compute directly against the master_password_hash.)
If you go to Bitwarden Crypto and leave the default values, then run the following Python 3 script, you will see the hashes match; therefore I am computing them correctly as per the local / Bitwarden client.
The problem I have is I exported my ‘db.sqlite3’ from vaultwarden and extracted the ‘salt’ and ‘password_hash’ for my account, but when I enter my correct login details and the db data into my python script, the first two hashes (local / Bitwarden client) match but the third hash (server / vaultwarden) doesn’t match.
My iterations all match my settings (100,000), so I cannot see where I am going wrong.
Anyone know what I should be doing for the server side hash calculation so it matches the db?
The official flow for all of this is on the bitwarden GitHub under help/master/images/security-white-paper/bitwarden-password-hashing-key-derivation-encryption.png
(Sorry as a new user, I couldn’t post the link)
Python code here as I couldn’t get it to inline: import hmacimport hashlibimport structimport base64def pbkdf2(digestmo - Pastebin.com
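Added worked example (not the poster’s Pastebin script and not vaultwarden’s own code): the full derivation chain from master password to the value stored in vaultwarden’s `users.password_hash`, written so a known password can be checked against an exported `salt` / `password_hash` / `password_iterations` row. The first two steps are the Bitwarden client flow from the white paper diagram the post cites (master key = PBKDF2-HMAC-SHA256 over the password with the lower-cased, trimmed e-mail as salt; master password hash = one PBKDF2 round over the master key with the password as salt, sent to the server base64-encoded). The third step reflects my reading of vaultwarden’s `hash_password` / `verify_password_hash` path, which the page itself does not state: the server runs PBKDF2-HMAC-SHA256 over the bytes of the base64 *string* it received (not the decoded 32 bytes), with the per-user random `salt` column and `password_iterations`. Hashing the decoded bytes instead is the most likely reason a client hash matches while the server hash does not, so the example computes both and shows they differ. The e-mail, password and 64-byte salt are constructed sample values; `DB_ITERATIONS` and `CLIENT_ITERATIONS` mirror the 100,000 on the page.

```python
import base64
import hashlib
import hmac

DK_LEN = 32  # PBKDF2-HMAC-SHA256 output size used throughout the Bitwarden scheme


def client_master_key(password: str, email: str, iterations: int) -> bytes:
    # Bitwarden client step 1: the clients trim and lower-case the e-mail and use it as the salt.
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)


def client_master_password_hash(master_key: bytes, password: str) -> str:
    # Bitwarden client step 2: one PBKDF2 round over the master key, salted with the password.
    # The client sends this to the server as a base64 string.
    digest = hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1, DK_LEN)
    return base64.b64encode(digest).decode("ascii")


def server_password_hash(client_hash_b64: str, db_salt: bytes, db_iterations: int) -> bytes:
    # Vaultwarden side (assumption from reading its source, not stated on the page):
    # PBKDF2-HMAC-SHA256 over the base64 STRING's bytes, with users.salt and users.password_iterations.
    return hashlib.pbkdf2_hmac("sha256", client_hash_b64.encode("ascii"), db_salt, db_iterations, DK_LEN)


def server_hash_of_decoded_bytes(client_hash_b64: str, db_salt: bytes, db_iterations: int) -> bytes:
    # The tempting-but-wrong variant: hashing the decoded 32 raw bytes. Included only to show it
    # yields a different value from what vaultwarden stores.
    raw = base64.b64decode(client_hash_b64)
    return hashlib.pbkdf2_hmac("sha256", raw, db_salt, db_iterations, DK_LEN)


def verify_against_db(candidate: str, email: str, client_iterations: int,
                      db_salt: bytes, db_hash: bytes, db_iterations: int) -> bool:
    # Recompute the whole chain for one candidate password and compare in constant time
    # with the password_hash column exported from db.sqlite3.
    mk = client_master_key(candidate, email, client_iterations)
    ch = client_master_password_hash(mk, candidate)
    return hmac.compare_digest(server_password_hash(ch, db_salt, db_iterations), db_hash)


# Constructed sample data standing in for an exported users row; not real values.
DEMO_EMAIL = "Alice@Example.com"
DEMO_PASSWORD = "correct-horse-battery-staple"
DEMO_SALT = bytes(range(64))          # vaultwarden stores a random 64-byte salt per user
CLIENT_ITERATIONS = 100_000           # client KDF iterations (users.client_kdf_iter)
DB_ITERATIONS = 100_000               # server-side iterations (users.password_iterations)


def enroll(password: str = DEMO_PASSWORD, email: str = DEMO_EMAIL) -> dict:
    # Produce what the DB would hold for this password, plus the intermediate client values,
    # so the three stages can be compared against the Bitwarden Crypto page or a real export.
    mk = client_master_key(password, email, CLIENT_ITERATIONS)
    ch = client_master_password_hash(mk, password)
    return {
        "master_key_b64": base64.b64encode(mk).decode("ascii"),
        "master_password_hash_b64": ch,
        "db_password_hash": server_password_hash(ch, DEMO_SALT, DB_ITERATIONS),
        "wrong_variant_hash": server_hash_of_decoded_bytes(ch, DEMO_SALT, DB_ITERATIONS),
    }


if __name__ == "__main__":
    row = enroll()
    print("client master key (b64):     ", row["master_key_b64"])
    print("client master pw hash (b64): ", row["master_password_hash_b64"])
    print("db password_hash (hex):      ", row["db_password_hash"].hex())
    print("matches stored hash:", verify_against_db(
        DEMO_PASSWORD, DEMO_EMAIL, CLIENT_ITERATIONS, DEMO_SALT, row["db_password_hash"], DB_ITERATIONS))
```

To use it against a real export, replace `DEMO_SALT` with the raw bytes of the `salt` column, `DB_ITERATIONS` with `password_iterations`, and pass the `password_hash` bytes as `db_hash`; the e-mail must be the account’s login e-mail exactly as the client normalises it.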